Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-09-2024 04:20
General
-
Target
ea929ecd8d8efacf94e0f2c8ed4b3f1e_JaffaCakes118.exe
-
Size
768KB
-
MD5
ea929ecd8d8efacf94e0f2c8ed4b3f1e
-
SHA1
05353df8871af9b77ca2c52a589f72496be43a7b
-
SHA256
646a9d16d574eba1abdd98582c718ba3ec12c8d0d1db7cea68e7665b3091fc8a
-
SHA512
6582087b654e893cf26c3825e6e0648328bc38720b2d3c97179e07d2be85efd4daeaf041b783afb0f3c2a007c85dc80ef1c6860111bd259d3f24b20927a6e099
-
SSDEEP
24576:u9PKupMkO+Xtqf9W5PTFnpfywjCGA4i/28cH:0SIMatqVObFnpqQ0TO8
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
ModiLoader Second Stage 27 IoCs
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 30 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ea929ecd8d8efacf94e0f2c8ed4b3f1e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea929ecd8d8efacf94e0f2c8ed4b3f1e_JaffaCakes118.exe"2⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\apocalyps32.exe-bs3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
768KB
MD5ea929ecd8d8efacf94e0f2c8ed4b3f1e
SHA105353df8871af9b77ca2c52a589f72496be43a7b
SHA256646a9d16d574eba1abdd98582c718ba3ec12c8d0d1db7cea68e7665b3091fc8a
SHA5126582087b654e893cf26c3825e6e0648328bc38720b2d3c97179e07d2be85efd4daeaf041b783afb0f3c2a007c85dc80ef1c6860111bd259d3f24b20927a6e099
-
Filesize
80KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB